LastPass? HardPass for HKS.
The question at hand is this: Should the Harvard Kennedy School make LastPass, a password management tool, mandatory for all students, faculty, and staff. The idea being that with one master password, LastPass can handle the rest. As the website shows, a simple “Fifiatemywoolsox!”, unique to your own Fifi (Cat? Dog? I vote cat) is enough to never be concerned about security again. So why are we asking this question? What is the problem we are trying to solve? Is it related security? Convenience? Streamlining?
At first “pass” (pun intended? you decide), it seems completely intuitive to have one-stop shopping for all of your password encryption needs. Enter LastPass. Business opportunity! How many of us have dozens of websites and user names and passwords stored away on a word document, excel file, notepad, or scribbled on pieces of paper that occupy desk drawers and wallets? And how much time have we all spent getting locked out of accounts, calling a support line confirming our identity, and starting the process all over again? LastPass boasts over 26 million users, a 4.5 star rating from 27,000 reviews on the Chrome store, and a portfolio of 70,000 businesses. Sounds good, right? Do continue.
The value proposition LastPass offers is alluring. “Auto-pilot for all your passwords”. Who could argue with that? Less thinking. Less phone calls. Less hassle. Words like simplify, store, share… it appeals to all of us who want some brain space to open up along with every new account we open or website we access. AND it monitors the dark web? How many people even know what the hell that means? But it sure sounds good. Dark is bad. LastPass will protect me. Therefore, LastPass = Good? And of course, price. A $0 price point is a great deal, or $3/month for an upgrade. Add in a list of website mentions from highly regarded outlets such as the NYT, Economist, PCMag, and Lifehacker, and the credibility seems bulletproof.
However, with all of that said, it is wise to give LastPass a HardPass. As a required gateway for HKS students, faculty, and staff, there are better options available. But let us first explore the drawbacks to LastPass.
Of course, data security for any password protection platform is primary as part of a viable business model, both on the business end and the user end. This necessity is of even more importance at an institution of higher education, where treasure troves of data, research, and personal information are held. And one can argue (I will, right here, at this moment) that it is of perhaps MORE importance at a place like HKS, which not only enrolls students from across the globe, but employees faculty who are world renowned in their respective fields. Defense? Diplomacy? Cybersecurity? National Security? We’ve got that. The idea of a foreign adversary (Russia, anyone?) seeking to breach the walls of HKS for intelligence is well documented. Simply put, HKS has to have absolute assurance that its systems are as close to impenetrable as possible, and always on the lookout for breaches, because too much is at stake, not just from an institutional standpoint, but for national security potentially as well.
So then, why not LastPass as a way to provide a single encrypted password for all in the HKS orbit? If it’s good enough to use for Hulu and Slack, it should be good enough for HKS, right? Well. No. An encrypted password is only as good as its weakest link, on both sides.
HKS would have to determine which direction the password would flow. Would it be expected that all HKS users create a LastPass password, and then migrate that to all of their other accounts? Or just leave it with HKS? Or, if they already have LastPass, to migrate that password into the HKS network? A single password opens up many doors for hacking, and if someone hits the jackpot on one, then your Netflix account is just around the corner, and Bank of America, etc. And on the flip side, and of more importance in this dialogue, is if someone can maneuver into HKS. LastPass, in effect, by trying to “simplify” log-ons, eliminates risk distribution across passwords (even if you tend to use the same, or similar ones, on most of your accounts).
Even more problematic is the simple fact that, through LastPass, HKS would be forcing a host of stakeholders onto a single service provider, one whose entire purpose is to connect accounts and reduce redundancy. Personally, if I were told I “had” to use LastPass, I would only use it for HKS related log-ons, and not connect it to anything else.
Currently, HKS uses the HarvardKey system, which has multi-factored authentication via “Duo Mobile”. That certainly seems sufficient to log onto all of the necessary Harvard platforms such as Canvas, myHarvard, and the seemingly dozens of other restricted access sites. Would I want to be told that HarvardKey and Duo Mobile had to be connected to any of my other service provider accounts? Nope.
Ultimately, it would be foolish for HKS to focus efforts related to security around a third party, lesser known entity such as LastPass. The upside is unclear, as compared to alternatives, and the risk vulnerability is apparent. If the objective, of course, is to reduce threats, then LastPass does very little to address that. If you think the KGB (or amateur hacker) could never crack “Fifiatemywoolsox!”, then maybe LastPass is a great tool. But if your confidence level is not there quite yet, then… LastPass gets a HardPass.